Re: Prevent Domain Users From Browsing Around in Active Directory?
- From: Mygposts <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 30 Mar 2009 09:24:01 -0700
Unfortunately, that did not work.
The user can still right click on empty space, select VIEW, ADVANCED
FEATURES and they are no longer stuck in the OU. They are popped back out at
the root of the domain where they may get lost or browse around nosily.
I am not worried about them right clicking on objects in the OU they are
assigned, but I need to force them to stay in that OU.
"Ace Fekay [Microsoft Certified Trainer]" wrote:
In news:94E335DE-7162-4C5A-B976-B8244B06CF92@xxxxxxxxxxxxx,
Mygposts <Mygposts@xxxxxxxxxxxxxxxxxxxxxxxxx>, posted the following:
This is MMC 3.0.
I don't see any option to turn that off. Users can still right click
empty space and choose View, Advanced Features and it then pops them
out of the desired OU to the root of the domain.
It's a matter of which options you've chosen. Version 2 and 3 are pretty
much the same, just look a little different. Follow this sequence. This is a
guideline. You can customize this as well.
Custom ADUC MMC:
The last ones I created for one client, and one for each 'location' OU, I
left the rt-click context, and the tree view (left pane and right pane), but
I removed everything else including the file menu buttons and such. So under
View, Customize, uncheck everything except the top one that says Console
Tree. This way they can't go up level or click any of the things in there.
But they will have the rt-click feature.
MMC 2 and 3 are the same:
Start/run/mmc enter
File/Add Remove Snap-in/Add ADUC
Drill down under the domain to the OU you want.
Rt-click on that OU, new window from here.
A new window pops up with the OU in the left pane and the contents in the
right pane.
Close the original ADUC window leaving the new window you just created.
Expand the window to take up the whole console.
Now they will not be able to go up levels and are 'stuck' in this OU.
View/Customize
Uncheck everything but Console Tree.
File/Options Choose Console Mode:
User mode: Limited Access, single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it. Logon as a test user delegated whatever perms to do on those users
and test it.
If you want to eliminate the rt-clicking on a user account, uncheck the
Console Tree above and change the console view by rt-clicking on the OU,
choose New Task View, and choose a vertical or horizontal list, then choose
to create a new task, menu command, highlight a user account, choose reset
password, or anything else in the right column, choose an icon, and finish.
Copy the MSC file via a UNC connected to the delegated person's
workstation's Doc and Settings\username\desktop folder.
Then copy over two DLL files to their system32 folder:
adprop.dll (for object properties)
dsadmin.dll (ability to alter object properties)
dsprop.dll (for object properties related to directory services)
(All three of these are needed on a 2003 DC or the ADUC won't open. However,
on a client machine, you only need two. If I were to allow users to change
passwords and create a custom MMC for just that OU, then all I need is
adprop.dll and dsadmin.dll).
Then I use PSEXEC to regsvr32 them into their machines. Then email them or
call them and tell them to get off their butts and get working...
Ace